Your account will be closed in 24h!

Yahoo phishing

Thursday night and checking Facebook on my mobile before going to sleep. One of my friends is complaining about how hard it is to use Yahoo mail abroad. Problem logging in and now there’s some problem with the account. “Your E-mail account has exceeded its limit and needs to be verified, if not verified within 24 hours, we shall suspend your account. Click Here to verify your email account now.” And when you try to resolve it, it doesn’t even work. You just end up on the login page! Damn Yahoo!

Stop! This message is not about a problem with the mail system, it’s a very typical phishing mail. I responded with a warning, and yes, the link had indeed been clicked and the credentials entered on a page that looked like the Yahoo login page. That made my friend a phishing victim like so many other Internet users. It was the beginning of a long night trying to figure out how to change the mail password using a tiny mobile screen. But the case came to a happy end. The password was apparently changed before the attackers had a chance to take benefit from the account, thanks to the swift reaction.

How to spot a phishing attempt?

  • It arrives as a mail message. Mail can be sent by anyone and it is trivial to spoof the sender’s address so that it seems to come from your mail operator or some other company you trust.
  • People think less when they are afraid so it tries to create a sense of danger. Something bad will happen unless you react. The closure of your account is a very common threat when phishing for e-mail accounts.
  • People think less when in a hurry so it tries to create a sense of urgency. You need to act right now. This lowers the risk that the victim checks out the facts first. The 24h deadline is a typical trick to achieve this.
  • It links to a web page that looks like an official page of, for example,  your mail operator. But it is actually controlled by the attacker, who also receives any information you enter. You are hacked if you enter your mail user name and password, or other valuable information.

My friend is not a computer newbie, and did in theory know all this. But the attack succeeded anyway. How is this possible? Imagine that it is late in the night and you are tired. There are other people distracting you. You are traveling and really depending on your mail account. And on top of that, you have had problems and expect even more trouble with this operator. So this is a very typical situation where the fingers can be faster than the brains. This is really the optimal situation for an attacker to hit, and they happened to send this phishing mail at the right wrong time.  Honestly, are you sure this couldn’t happen to you?

Ok, so what should I do to avoid being phished?

  • First of all, do not click links in mails! This is not just about phishing, many get malware too by clicking links. But there are also legitimate links that friends send to you. So you should always think about who the sender is (remember, the apparent sender can be spoofed), in what style and language the message is written, what the claimed content of the link is and how does all this fit together? To summarize, do I expect this kind of message from this person (or company) at this time? This way you should be able to spot the legit links.
  • If in doubt, check what address the link is taking you to before you click. Note that the text forming the visible part of the link may look like a web URL but still be linked to a totally different address. Hover the mouse pointer over the link and examine the address that the mail client or browser shows you. Make sure that the address match the company or site that the link is claimed to point to. For example: The login to Gmail should start with “https://accounts.google.com/” but a phishing site targeting Gmail may use an address like “http://accounts.google.com.etw368hj.nu/”. The latter does NOT belong to Gmail.
  • Get familiar with the login URLs of your favorite services BEFORE you run into a phishing mail. Then it is a lot easier to spot the spoof. The address may look long and nerdy, but you only need to mind the part after the double-slash “//” but before the first single slash. That part identifies the server that you will access. (Your browser may show the address without the initial “http://”, in that case just examine the part before the first slash.)
  • Get familiar with the concept of secured web pages and how to recognize them. Login pages of important services are typically protected this way. Their addresses start with “https://” instead of “http://” and your browser shows a lock or similar symbol next to the address field. You can examine the certificate of the server you are connected to by clicking the lock, and this is reasonable hard proof about who’s running the service. Needless to say, the phishing sites can’t duplicate these cryptographic certificates.
  • If you suspect that there really may be a problem with your mail account, then log in with the link that you normally use to access the account. Do not use a link in a mail message. Look for info banners and pop-up messages shown in the browser after you have logged in. These messages are a lot more reliable and can generally be trusted. Mail operators are well aware of the phishing threat. If you get a mail claiming that there’s a problem, then you can be pretty sure that it isn’t true. The mail operators do not communicate in that way.
  • If you still fall for the scam, attempt to change your password right away. This is also a good time to think about if you have used the same password on other services. Say that john.doe@gmail.com is using the same password as john.doe@hotmail.com. If one get hacked, then the hacker just need to try some of the common mail services to get access to more accounts. This would be a good time to brush up your password practices.

As a practice, examine the link above and try to figure out where it points and what company it belongs to without clicking it.

Safe surfing,
Micke

Phishing @ Wikipedia.

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.

More posts from this topic

15855489588_6c209780a9_b

How “the Cloud” Keeps you Safe

“The cloud” is a big thing nowadays. It’s not exactly a new concept, but tech companies are relying on it more and more. Many online services that people enjoy use the cloud to one extent or another, and this includes security software. Cloud computing offers unique security benefits, and F-Secure recently updated F-Secure SAFE to take better advantage of F-Secure’s Security Cloud. It combines cloud-based scanning with F-Secure’s award-winning device-based security technology, giving you a more comprehensive form of protection. Using the cloud to supplement device-based scanning provides immediate, up-to-date information about threats. Device-based scanning, which is the traditional way of identifying malware, examines files against a database saved on the device to determine whether or not a file is malicious. This is a backbone of online protection, so it’s a vital part of F-Secure SAFE. Cloud-based scanning enhances this functionality by checking files against malware information in both the local database found on devices, and a centralized database saved in the cloud. When a new threat is detected by anyone connected to the cloud, it is immediately identified and becomes "known" within the cloud. This ensures that new threats are identified quickly and everyone has immediate access to the information, eliminating the need to update the database on devices when a new threat is discovered. Plus, cloud-based scanning makes actual apps easier to run. This is particularly important on mobile devices, as heavy anti-virus solutions can drain the battery life and other resources of devices. F-Secure SAFE’s Android app has now been updated with an “Ultralight” anti-virus engine. It uses the cloud to take the workload from the devices, and is optimized to scan apps and files with a greater degree of efficiency. Relying on the cloud gives you more battery life, and keeps you safer. The latest F-Secure SAFE update also brings Network Checker to Windows PC users. Network Checker is a device-based version of F-Secure’s popular Router Checker tool. It checks the Internet configuration your computer uses to connect to the Internet. Checking your configuration, as opposed to just your device, helps protect you from attacks that target home network appliances like routers – a threat not detected by traditional anti-virus products. So the cloud is offering people much more than just extra storage space. You can click here to try F-Secure SAFE for a free 30-day trial if you’re interested in learning how F-Secure is using the cloud to help keep people safe. [Image by Perspecsys Photos | Flickr]

June 30, 2015
BY 
business security cyber defense

You have new e-mail — or, how to let hackers sneak in with a single click

This is the first in a series of posts about Cyber Defense that happened to real people in real life, costing very real money. A rainy, early spring day was slowly getting underway at a local council office in a small town in Western Poland. It was a morning like any other. Nobody there expected that this unremarkable day would see a series of events that would soon affect the entire community... Joanna Kaczmarek, a Senior Specialist in the council’s Accounting Department, rushed into her office a little late, but in a good mood nonetheless. Before getting down to work, she brewed herself a cup of coffee and played some music on her computer. Several days earlier, she had finally installed a music app on her PC so she could listen to her favourite tunes while she worked. This had taken some effort though, as she had needed administrator’s access to her computer. It took a lot of pleading and cajoling, but after a week the IT guy finally gave in. Joanna had no idea that she was opening a dangerous gap in the council’s IT system. That morning, Joanna launched, as she had countless times before, a government issued budget management application. With a few clicks, she made a transfer order for nearly twenty thousand zloty. The recipient of the money was a company that had won the contract for the renovation of a main road in the town. The whole operation took seconds. Two days later, the owner of the company phoned Joanna, asking about the advance he was supposed have received. “I can’t get the work started without that money”, he complained in an annoyed voice. Joanna was a little surprised and contacted the bank. The bank confirmed the operation, saying that there was nothing suspicious about it. Joanna, together with the Head of the IT Department, carefully ran back over the events of the day of the transfer. They found nothing out of the ordinary, so started checking what was happening on Joanna’s computer around the time before the transfer date. They soon found something: nearly a week prior to the date of the missing transfer, Joanna had received an email from the developer of the budget management software. For Joanna, the message hadn’t raised any red flags; the email contained a reminder about a software update and looked very legitimate. It contained the developer’s contact data, logo and telephone number. Everything was in order… Everything except for a change of one letter in the sender’s address. Joanna hadn’t noticed – a “t” and an “f” look so alike when you read quickly, don’t they? Unaware of the consequences, Joanna followed the link that was to take her to the update website. With just one click of her mouse she started a snowball of events that ultimately affected each and every resident of the town. Instead of the “update”, she downloaded dangerous spyware onto her computer. In this way, the cybercriminals who orchestrated the attack learnt that the woman was a Senior Specialist in the Accounting Department and was responsible for transferring money, including EU funds. The thieves lured Joanna into a digital trap, tricking her into installing software that replaced bank account numbers “on the fly”. As she was processing the transaction, the hackers replaced the recipient’s account details with their own, effectively stealing the money. Joanna would have been unable to install the fake update if she hadn’t obtained the administrator’s rights she’d needed for her music app. All she had wanted was to listen to some music while she worked. If only she had known what the consequences would be... After the attack was discovered, the Police launched an investigation. Joanna was just one of many victims. Investigators discovered that the malware infection was likely to have targeted computers used by local government workers in hundreds of municipalities across Poland. Law enforcement authorities haven’t officially disclosed how much money was stolen, but given the fact that losses may have been underreported, the estimated figures are in the millions of zlotys. On the top of that, Joanna’s town had to wait months for the completion of the roadwork. This was one of the largest mass cyber-attacks against local government in Poland. It certainly won’t be the last one... For small and medium sized enterprises, the average financial loss as the result of a cyber security incident is on average 380 000€. The risk and the lost is real. Don’t be an easy target. We help businesses avoid becoming an easy victim to cyber attacks by offering best in class end-point protection and security management solutions trusted by millions.

May 13, 2015
WhatsApp Scams

WhatsApp Scams: 3 Things you Need to Know

F-Secure Labs reported this week on a new WhatsApp scam that’s successfully spammed over 22,000 people. Spam seems to be as old as the Internet itself, and is both a proven nuisance AND a lucrative source of revenue for spammers. Most people don’t see what goes on behind the scenes, but spammers often employ very sophisticated schemes that can expose web surfers to more than just ads for Viagara or other “magic beans”. Spam typically tries to drive Internet traffic by tricking people into clicking certain websites, where scammers can bombard unsuspecting web surfers with various types of advertising. Profit motives are what keep spammers working hard to circumvent spam blocks, white lists, and other protective measures that people use to try and fight back – and it can pay off. Numerous spammers have been indicted and suspected of generating hundreds of thousands of dollars in revenue from their spam campaigns, with one study projecting that spammers could generate in excess of 3.5 million dollars annually. While most spam circulates via e-mail, the popularity of services like WhatsApp is giving spammers new resources to exploit people, and new ways to make money. Here’s a few ways spammers and cyber criminals are using WhatsApp to make money off users: Following Malicious Links: One way that cyber criminals use WhatsApp to scam people is to trick them into following malicious links. For example, a recent scam sent SMS messages to WhatsApp users telling them to follow a link to update the app. But the message was not from WhatsApp, and the link didn’t provide them with any kind of update. It signed them up for an additional service, and added a hefty surcharge to victims' phone bills. Sending Premium Rate Messages: Premium rate SMS sending malware was recently determined by F-Secure Labs to be the fastest growing mobile malware threat, and WhatsApp gives cyber criminals a new way to engage in this malicious behavior. Basically the users receive a message that asks them to send a response – “I’m writing to you from WhatsApp, let me know here if you are getting my messages”, “Get in touch with me about the second job interview”, and various sexual themed messages have all been documented. Responding to these messages automatically redirects your message through a premium rate service. Spanish police claim that one gang they arrested made over 5 million euros using this scheme – leaving everyday mobile phone users to foot the bill. Manipulating Web Traffic: A lot of spam tries to direct web traffic to make money off advertising. As you might imagine, this means they have to get massive numbers of people to look at the ads they’re using for their scams. Scammers use WhatsApp to do this by using the app to spread malware or social engineer large numbers of people to visit a website under false pretenses. F-Secure Labs found that people were being directed to a website for information on where they could get a free tablet. In March there was a global spam campaign claiming people could test the new WhatsApp calling feature. Both cases were textbook scams, and instead of getting new tablets or services, the victims simply wasted their time spreading misleading spam messages and/or exposing themselves to ads. WhatsApp and other services are great for people, but like any new software, requires a bit of understanding to know how to use. Hopefully these points give WhatsApp users a heads up on how they can avoid spam and other digital threats, so they can enjoy using WhatsApp to chat with their friends. [ Image by Julian S. | Flickr ]

May 8, 2015
BY